AMENDMENTS TO THE SPECIFICATION 



Please replace the paragraph beginning on page 2, line 15 with the following 
amended paragraph: 

FIG. 1A illustrates a representative example of a single security sensitive 
event formatted to make it readable by a human. 

Please replace the paragraph beginning on page 3, line 15 with the following 
amended paragraph: 

Fig. 1 is a block diagram of a system 100 for storing events to enhance 
intrusion detection. System 100 includes a plurality of computers 102, 106 and 
a network 101. Although system 100 includes computers 102, 106 for 
illustration purposes, different numbers of devices and network topologies may 
be included. Additionally, some or all of the data structures (to be described) 
as well as modules shown in system 100 can be implemented within a 
computing device, such as computer 106, or can be distributed within a 
computing system having more than one computing device. See the 
description of "Exemplary Computing System and Environment" below for 
specific examples and implementations of networks, computing systems, 
computing devices, and components that can be used to implement the 
described implementations, including computers 102, 106 and network 101. 

Please replace the paragraph beginning on page 5, line 8 with the following 
amended paragraph: 

The "header section" is a fixed length section of the event and has 
several fields, including: an event type (success/failure), event 
source, event category, event identification, date, time, user name and 
computer name (see FIG. 1A). 

Please replace the paragraph beginning on page 5, line 11 with the following 
amended paragraph: 

The "data section" is a variable length section of the event that is 
stored as a set of strings. The number of strings present varies according to 
the "event identification" in the Event Header Section. For example, event 
0x272 (== 626 decimal) contains six strings: foo, KUMARPDOIVI, 
KUMARPDOMXfoo, Administrator, KUMARPDOIVI, (0x0, 0x237CE5) (see FIG. 1A). 

Please replace the paragraph beginning on page 5, line 16 with the following 
amended paragraph: 

The "event identification" (also referred to as event ID) identifies 
the type of event. 

Please replace the paragraph beginning on page 5, line 20 with the following 
amended paragraph: 

"Field" (or event field) means one of the strings in 
the data section of an event. 

Please replace the paragraph beginning on page 6, line 5 with the following 
amended paragraph: 

FIG. 1A illustrates a representative example of a single security sensitive 
event formatted to make it readable by a human, but stored in the event 
log. 

Please replace the paragraph beginning on page 6, line 11 with the following 
amended paragraph: 

In this example, the value "0x0272" is the event identification (the 0x 
prefix indicates the number is in hexadecimal format). Generally, the event 
identification follows the header text "MessageId=", regardless of the event 
type. Other formats could of course be used in other systems. In general, the 
event identification will comprise code, text or an identification 
number, at a consistent or identifiable location within the event, that identify the 
particular type of event and corresponding security sensitive event. 

Please replace the paragraph beginning on page 6, line 23 with the following 
amended paragraph: 

In this example, each event descriptor comprises a descriptive phrase 
followed by a value. For example, the first descriptor in the above example 
contains the descriptive phrase "Target Account Name:", followed by a value. 
The values of the multiple descriptors can be in the form of numbers, text, or 
other information. They provide actual information about the event that 
corresponds to the event. Generally, the initial descriptive phrase describes the 
nature of the value that follows. For instance, if the descriptive phrase of the 
event descriptor is "logon ID," then the value that follows the descriptive phrase 
corresponds to the actual alphanumeric logon ID that was used in conjunction 
with the event corresponding to the event. As another example, if the 
descriptive phrase of the event descriptor is "target account" then the value that 
follows the descriptive phrase indicates the actual alphanumeric target 
account number used in conjunction with the event corresponding to the event. 
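
The event layout described in the amended paragraphs above (an event identification at a fixed marker, followed by descriptors of the form "descriptive phrase: value") can be parsed as follows. This is an added example, not part of the specification. It assumes the header text reads "MessageId=", and the sample event is constructed: only "Target Account Name:" and the six string values come from the text above.

```python
import re

# Assumption: the header text before the event ID is "MessageId=" (the page's
# copy of this string is garbled).
EVENT_ID_RE = re.compile(r"MessageId=(0x[0-9A-Fa-f]+)")
# From the page: event 0x272 carries six strings in its data section.
EXPECTED_FIELDS = {0x272: 6}

# Constructed sample. Only "Target Account Name:" and the six values come from
# the page; the header line and the other descriptive phrases are invented.
SAMPLE_EVENT = """\
Type=Success Source=Security MessageId=0x0272
User Account Enabled:
    Target Account Name: foo
    Target Domain: KUMARPDOIVI
    Target Account ID: KUMARPDOMXfoo
    Caller User Name: Administrator
    Caller Domain: KUMARPDOIVI
    Caller Logon ID: (0x0, 0x237CE5)
"""


def parse_event(text):
    """Return (event_id, [(descriptive phrase, value), ...])."""
    match = EVENT_ID_RE.search(text)
    if match is None:
        raise ValueError("no event identification found")
    event_id = int(match.group(1), 16)
    descriptors = []
    for line in text[match.end():].splitlines():
        phrase, sep, value = line.partition(":")
        # Skip lines with no colon and headings that have no value.
        if sep and phrase.strip() and value.strip():
            descriptors.append((phrase.strip(), value.strip()))
    return event_id, descriptors


def field_count_ok(event_id, descriptors):
    """True if the descriptor count matches the count known for this event ID."""
    expected = EXPECTED_FIELDS.get(event_id)
    return expected is None or len(descriptors) == expected


if __name__ == "__main__":
    eid, fields = parse_event(SAMPLE_EVENT)
    print(hex(eid), eid, field_count_ok(eid, fields))
    for phrase, value in fields:
        print(f"{phrase!r} -> {value!r}")
```

An event whose descriptor count does not match the count expected for its event ID is truncated or malformed and should be flagged rather than silently stored.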